1. Field
The following description relates to technology for detecting malicious applications (hereinafter referred to as ‘apps’), and more specifically, to an apparatus and method for detecting a malicious action by generating a dynamic action graph of an app installed in a mobile terminal.
2. Description of the Related Art
As smartphones have come into wide use, mobile financial fraud has increased rapidly. In addition to phishing and pharming, SMS phishing (SMiShing) attacks have recently been increasing. SMiShing is an attempt to induce users to install a malicious app (Android application package (APK) file and malware) on their mobile phones, to request personal information, or to induce the users to make a small payment with a mobile phone.
The SMiShing attack is one of the mobile financial fraud techniques that install a malicious app on a mobile terminal with or without the user's consent, wherein the malicious app may perform personal information leakage, message extortion and delivery, etc. To prevent such SMiShing attacks in advance, it is necessary to develop technology for analyzing and detecting the malicious actions of mobile apps.
The signature-based detection technique recently used by mobile anti-virus vaccines to detect and act on malicious apps creates a signature from the binary of a malicious app and registers it, and then checks whether a given app has that signature. However, malicious apps can be created continuously with tools that are comparatively easy to use, and code that executes malicious actions is shared among hackers, so the number of malicious apps is increasing rapidly. As a result, the recent signature-based detection technique is limited in its analysis and detection.
Moreover, methods of analyzing the malicious actions of a mobile app are divided into static analysis and dynamic analysis. Since the static analysis method analyzes the app without running it, it has the advantage of being safe and not taking much time. However, recent malicious apps have code obfuscation applied to them, or appear to be normal apps when installed but, while actually running, download and execute external files (libraries, etc.) to perform malicious actions. In these cases, the static analysis method has the disadvantage of having difficulty analyzing the app precisely. Meanwhile, the dynamic analysis method analyzes the app's actions while running it in an environment such as a virtual machine, and it has the advantage of detecting the app's actual actions precisely. However, the dynamic analysis method may take considerably more time than the static analysis method, and it has the disadvantage that experiments must be carried out in the environments of various vendors and various mobile operating systems that are continuously updated.